Can caddy merge ip_ranges?

Caddy version (caddy version):

v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=

Caddyfile or JSON config:


"a" 27L, 641B written
(blacklists) {
    # From private_ranges: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fd00::/8 ::1
    # Docker bridge network 172.17.0.1/16
    @not_me {
        not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fd00::/8 ::1 172.17.0.1/16 123.123.123.123/32
    }
    @not_wife {
        not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fd00::/8 ::1 172.17.0.1/16 456.456.456.456/32
    }
    @not_me_or_wife {
        not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fd00::/8 ::1 172.17.0.1/16 123.123.123.123/32 456.456.456.456/32
    }
}

mine.foo.com {
    handle @not_me {
        respond "Access denied" 403 {
            close
        }
    }
    reverse_proxy localhost:8000
}

mine_and_wifes.foo.com {
    handle @not_me_or_wife {
        respond "Access denied" 403 {
            close
        }
    }
    reverse_proxy localhost:8001
}

wife.foo.com {
    handle @not_wife {
        respond "Access denied" 403 {
            close
        }
    }
    reverse_proxy localhost:8002
}

The question:

Is there a way to simplify the blacklists sections by merging remote IPs? I know I could have multiple @handles for each domain instead of a single one but I’m looking not to do that and instead do something like:


"a" 27L, 641B written
(blacklists) {
    @self { 
        remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fd00::/8 ::1
    }
    @needed { 
        @self
        remote_ip 172.17.0.1/16
    }
    @me {
        @needed
        remote_ip 123.123.123.123/32
    }
    @not_me { not { @me } }
    @wife {
        @needed
        remote_ip 456.456.456.456/32
    }
    @not_wife { not { @wife } }
    @not_me_or_wife { not { @me @wife } }
}
mine.foo.com {
    handle @not_me {
        respond "Access denied" 403 {
            close
        }
    }
    reverse_proxy localhost:8000
}

mine_and_wifes.foo.com {
    handle @not_me_or_wife {
        respond "Access denied" 403 {
            close
        }
    }
    reverse_proxy localhost:8001
}

wife.foo.com {
    handle @not_wife {
        respond "Access denied" 403 {
            close
        }
    }
    reverse_proxy localhost:8002
}
``` Can caddy merge ip_ranges?

Unfortunately no, we don’t have support for using matchers in other matchers (yet). We’d like to get it in at some point, but it’s really complicated. It seems simple, but it’s unfortunately not.

But actually in your case, we have a change in v2.5.1 that makes your config way shorter. We added a private_ranges shortcut to the remote_ip matcher which expands out to all the private IP ranges (both IPv4 and IPv6). So your matchers would just look like this:

```
@not_me not remote_ip private_ranges 123.123.123.123/32
@not_wife not remote_ip private_ranges 456.456.456.456/32
@not_me_or_wife not remote_ip private_ranges 123.123.123.123/32 456.456.456.456/32
```

I don’t think you need the /32 btw, I think you can omit the CIDR range when it’s a single IP. Slightly shorter.

Also note, you can’t have braces and contents on the same line, you must use newlines if you use braces. But if you only have one matcher in your named matcher, you can inline it without braces.

I’d recommend using abort instead of respond probably, it’ll just close the connection and that’s it – faster, doesn’t try to write a response. It’s a better way to deal with bots or whatever, but it could look confusing to legitimate users who didn’t match the IP ranges.

Also, you don’t need the wrapping handle, you can just put the matcher right on abort/respond. It will work fine because both of those have higher directive orders than reverse_proxy.

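Putting the reply's suggestions together into a full config, as an added example rather than the thread's own Caddyfile; it assumes Caddy v2.5.1 or later for `private_ranges` and imports the snippet into each site block so the named matchers are defined there:

```caddyfile
# Added example, not config from the thread: the question's three sites
# rewritten with the v2.5.1 private_ranges shortcut and the reply's other
# suggestions. 123.123.123.123 and 456.456.456.456 are the question's own
# placeholder addresses; the upstream ports are the ones from the question.
(blacklists) {
    # private_ranges expands to 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    # 127.0.0.0/8 fd00::/8 ::1. The Docker bridge range 172.17.0.0/16 lies
    # inside 172.16.0.0/12, so it no longer needs to be listed separately.
    # A named matcher with a single matcher can be written inline, no braces.
    @not_me not remote_ip private_ranges 123.123.123.123
    @not_wife not remote_ip private_ranges 456.456.456.456
    @not_me_or_wife not remote_ip private_ranges 123.123.123.123 456.456.456.456
}

mine.foo.com {
    import blacklists
    # abort is ordered before reverse_proxy, so no handle wrapper is needed;
    # peers that are not allow-listed get their connection closed, no response.
    abort @not_me
    reverse_proxy localhost:8000
}

mine_and_wifes.foo.com {
    import blacklists
    abort @not_me_or_wife
    reverse_proxy localhost:8001
}

wife.foo.com {
    import blacklists
    abort @not_wife
    reverse_proxy localhost:8002
}
```

Where a legitimate visitor from an unlisted address should see a 403 rather than a dropped connection, keep `respond "Access denied" 403` with the same inline matcher instead of `abort`.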
